From patchwork Wed Jun 10 07:40:12 2026
X-Patchwork-Submitter: Anders Heimer
X-Patchwork-Id: 89617
From: Anders Heimer
To: bitbake-devel@lists.openembedded.org
CC: Anders Heimer
Subject: [PATCH 1/2] fetch2/wget: limit auth on checkstatus redirects
Date: Wed, 10 Jun 2026 09:40:12 +0200
Message-ID: <20260610074013.558709-2-anders.heimer@est.tech>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260610074013.558709-1-anders.heimer@est.tech>
References: <20260610074013.558709-1-anders.heimer@est.tech>
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19637

FixedHTTPRedirectHandler copies request headers when checkstatus() follows a redirect, including Authorization from SRC_URI or .netrc. Keep same-origin redirects unchanged, but drop Authorization and Cookie for different-origin targets (scheme, host and effective port), following RFC 9110 redirect guidance for resource-specific headers.

This only affects the Python checkstatus() path; normal wget downloads are unchanged.

Signed-off-by: Anders Heimer
---
lib/bb/fetch2/wget.py | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/lib/bb/fetch2/wget.py b/lib/bb/fetch2/wget.py index 475f042dd..11b57f2f7 100644 --- a/lib/bb/fetch2/wget.py +++ b/lib/bb/fetch2/wget.py @@ -292,6 +292,18 @@ class Wget(FetchMethod): http_error_403 = http_error_405 + def _url_origin(url): + parsed = urllib.parse.urlsplit(url) + scheme = parsed.scheme.lower() + host = parsed.hostname.lower() if parsed.hostname else "" + port = parsed.port + if port is None: + port = {"http": 80, "https": 443}.get(scheme) + return (scheme, host, port) + + def _same_origin(url_a, url_b): + return _url_origin(url_a) == _url_origin(url_b) + class FixedHTTPRedirectHandler(urllib.request.HTTPRedirectHandler): """ urllib2.HTTPRedirectHandler before 3.13 has two flaws:
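Review bot: `_url_origin()` lets `parsed.port` raise on a Location whose port is not a valid integer (urlsplit's `.port` raises ValueError for `http://host:abc/` or an out-of-range port), so a malformed or hostile redirect target becomes an uncaught exception inside checkstatus() rather than a rejected redirect; wrap it as `try: port = parsed.port` / `except ValueError: return None` and make `_same_origin()` return False when either side is None, so an unparsable Location can only lose credentials, never keep them. Two smaller points on the same lines: `parsed.hostname` is already lowercased by urlsplit, so the `.lower()` is redundant but harmless; and because the scheme is part of the origin tuple, a same-host http to https redirect also drops Authorization. That matches the RFC 9110 reading the commit message cites, but it is stricter than a host-only check and is worth stating explicitly where the helper is defined.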
@@ -305,6 +317,9 @@ class Wget(FetchMethod): Until we depend on Python 3.13 onwards, copy the redirect_request method to fix these issues. + + Additionally, strip sensitive headers (Authorization, Cookie) when + redirecting to a different origin to avoid credential leaks. """ def redirect_request(self, req, fp, code, msg, headers, newurl): m = req.get_method() 
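Review bot: The new docstring paragraph should say what "different origin" means here, namely any change of scheme, host or effective port, because this docstring is where the next person will look when a same-host http to https redirect loses its Authorization header. It also sits right under the "Until we depend on Python 3.13 onwards, copy the redirect_request method" sentence; when that copied method is eventually replaced by the stdlib one, the header stripping still has to be kept, so note that the two parts of this override have different lifetimes.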
@@ -324,8 +339,16 @@ class Wget(FetchMethod): newurl = newurl.replace(' ', '%20') CONTENT_HEADERS = ("content-length", "content-type") - newheaders = {k: v for k, v in req.headers.items() - if k.lower() not in CONTENT_HEADERS} + SENSITIVE_REDIRECT_HEADERS = ("authorization", "cookie") + same_origin = _same_origin(req.get_full_url(), newurl) + newheaders = {} + for k, v in req.headers.items(): + header = k.lower() + if header in CONTENT_HEADERS: + continue + if not same_origin and header in SENSITIVE_REDIRECT_HEADERS: + continue + newheaders[k] = v return urllib.request.Request(newurl, method="HEAD" if m == "HEAD" else "GET", headers=newheaders,
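Review bot: When `same_origin` is false and a header is skipped, nothing is logged, so a user whose SRC_URI credentials silently stop reaching a mirror that redirects across ports or schemes will only see checkstatus() fail on the target; a `logger.debug("Dropping %s header on redirect from %s to %s", k, req.get_full_url(), newurl)` in that `continue` branch makes it diagnosable from a verbose log. Also worth a one-line comment: the comparison is against `req.get_full_url()`, the hop being redirected from, not the original SRC_URI. That is the right per-hop behaviour (A -> A/x -> B keeps the header for A/x and drops it entering B), but the tests only cover a single hop, so the intent should be recorded next to the code.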
From: Anders Heimer
To: bitbake-devel@lists.openembedded.org
CC: Anders Heimer
Subject: [PATCH 2/2] tests/fetch: cover checkstatus redirect auth handling
Date: Wed, 10 Jun 2026 09:40:13 +0200
Message-ID: <20260610074013.558709-3-anders.heimer@est.tech>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260610074013.558709-1-anders.heimer@est.tech>
References: <20260610074013.558709-1-anders.heimer@est.tech>
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19638

Add local HTTP server tests for Wget.checkstatus() redirects. They check that Authorization is kept for same-origin redirects and dropped when the target has a different origin.

Signed-off-by: Anders Heimer
---
lib/bb/tests/fetch.py | 62 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 95cf6c414..d021ad786 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py @@ -7,6 +7,7 @@ # import contextlib +import http.server import shutil import unittest import unittest.mock @@ -18,6 +19,7 @@ import os import signal import subprocess import tarfile +import threading from bb.fetch2 import URI import bb import bb.utils
@@ -1716,6 +1718,41 @@ class FetchCheckStatusTest(FetcherTest): "ftp://sourceware.org/pub/libffi/libffi-1.20.tar.gz", ] + def _start_checkstatus_server(self): + class CheckStatusHTTPRequestHandler(http.server.BaseHTTPRequestHandler): + def do_HEAD(self): + self.server.requests.append((self.path, dict(self.headers))) + if self.path == "/a" and self.server.redirect_url: + self.send_response(302) + self.send_header("Location", self.server.redirect_url) + self.end_headers() + return + self.send_response(200) + self.end_headers() + + def log_message(self, format_str, *args): + pass + + server = http.server.HTTPServer(("127.0.0.1", 0), CheckStatusHTTPRequestHandler) + server.redirect_url = None + server.requests = [] + thread = threading.Thread(target=server.serve_forever, kwargs={"poll_interval": 0.05}) + thread.daemon = True + thread.start() + + def stop_server(): + server.shutdown() + thread.join() + server.server_close() + + self.addCleanup(stop_server) + return server + + def _checkstatus(self, url): + fetch = bb.fetch2.Fetch([url], self.d) + ud = fetch.ud[url] + return ud.method.checkstatus(fetch, ud, self.d) + @skipIfNoNetwork() def test_wget_checkstatus(self): fetch = bb.fetch2.Fetch(self.test_wget_uris, self.d) 
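Review bot: `CheckStatusHTTPRequestHandler` implements only `do_HEAD`; if checkstatus() ever takes the GET fallback visible in the context of patch 1 (`http_error_403 = http_error_405`), BaseHTTPRequestHandler answers the missing `do_GET` with 501 and the test fails for a reason unrelated to redirects, so either alias `do_GET = do_HEAD` or record `self.command` next to `self.path` and the headers so the tests can assert the redirected request is still a HEAD. Recording the method would also let `_start_checkstatus_server()` serve a later test for the 301/302/303 method-rewriting path of the same handler.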
@@ -1743,6 +1780,31 @@ class FetchCheckStatusTest(FetcherTest): connection_cache.close_connections() + def test_wget_checkstatus_same_origin_redirect_keeps_auth(self): + server = self._start_checkstatus_server() + server.redirect_url = "http://127.0.0.1:%s/b" % server.server_port + + url = "http://127.0.0.1:%s/a;user=user;pswd=pass" % server.server_port + self.assertTrue(self._checkstatus(url)) + + self.assertEqual(len(server.requests), 2) + redirected_headers = {k.lower(): v for k, v in server.requests[1][1].items()} + self.assertIn("authorization", redirected_headers) + + def test_wget_checkstatus_different_origin_redirect_drops_auth(self): + origin = self._start_checkstatus_server() + target = self._start_checkstatus_server() + # Same host but different port is a different origin. + origin.redirect_url = "http://127.0.0.1:%s/b" % target.server_port + + url = "http://127.0.0.1:%s/a;user=user;pswd=pass" % origin.server_port + self.assertTrue(self._checkstatus(url)) + + self.assertEqual(len(origin.requests), 1) + self.assertEqual(len(target.requests), 1) + redirected_headers = {k.lower(): v for k, v in target.requests[0][1].items()} + self.assertNotIn("authorization", redirected_headers) + class GitMakeShallowTest(FetcherTest): def setUp(self):
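Review bot: Both tests check only the request count and the presence or absence of Authorization, not that the redirect went where it should; assert `server.requests[0][0] == "/a"` and `server.requests[1][0] == "/b"` in the first test and `target.requests[0][0] == "/b"` in the second, so a retry or a direct 200 cannot satisfy the count by accident. The different-origin case exercises only the port component; the host component can be covered with the same listener by redirecting `http://127.0.0.1:<port>/a` to `http://localhost:<port>/b` (a different host string for the same server, so the second entry in `server.requests` should lack Authorization), and no test sends a Cookie header, so the second entry in SENSITIVE_REDIRECT_HEADERS is untested. The same-origin test could also compare the header value to what `user=user;pswd=pass` must produce (`Basic dXNlcjpwYXNz` if checkstatus() sends Basic auth) rather than only checking the key.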
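The origin rule the first commit message describes, written out as a stand-alone example with the cases the series' tests do not exercise: explicit default ports, host case, userinfo and IPv6 literals in the Location, a Location whose port is not a number, and a same-host http to https move. This is added example code, not BitBake's or the author's; `url_origin`, `same_origin`, `redirect_headers`, `OriginAwareRedirectHandler` and the two local listeners in the `__main__` block are this example's own names and assumptions, and it deliberately treats an unparsable Location as a different origin, which the patch as posted does not.

```python
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_PORTS = {"http": 80, "https": 443}
CONTENT_HEADERS = ("content-length", "content-type")
SENSITIVE_REDIRECT_HEADERS = ("authorization", "cookie")


def url_origin(url):
    """(scheme, host, effective port) for an absolute URL, or None when the
    URL has no usable authority: empty host, or a port that is not an
    integer in 0..65535 (urlsplit's .port raises ValueError for those)."""
    parts = urllib.parse.urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # already lowercased; [] and userinfo removed
    if not host:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """Strict origin equality; an unparsable side is never same-origin, so a
    hostile Location can only lose credentials, never keep them."""
    origin_a, origin_b = url_origin(url_a), url_origin(url_b)
    return origin_a is not None and origin_a == origin_b


def redirect_headers(headers, old_url, new_url):
    """Headers to carry to a redirect target: body-describing headers are
    always dropped; credential headers survive only a same-origin hop."""
    keep_credentials = same_origin(old_url, new_url)
    kept = {}
    for name, value in headers.items():
        lower = name.lower()
        if lower in CONTENT_HEADERS:
            continue
        if lower in SENSITIVE_REDIRECT_HEADERS and not keep_credentials:
            continue
        kept[name] = value
    return kept


class OriginAwareRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib handler applying redirect_headers() on every hop. Each hop is
    compared with the request it redirects from, not with the first URL, so
    A -> A/x -> B keeps credentials for A/x and drops them entering B."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        method = req.get_method()
        if code not in (301, 302, 303, 307, 308) or method not in ("GET", "HEAD"):
            raise urllib.error.HTTPError(req.full_url, code, msg, headers, fp)
        newurl = newurl.replace(" ", "%20")
        new_headers = redirect_headers(req.headers, req.get_full_url(), newurl)
        return urllib.request.Request(newurl, method=method, headers=new_headers,
                                      unverifiable=True)


if __name__ == "__main__":
    # Self-check against two constructed local listeners (no network needed):
    # /a on the first redirects to the second, which is another port and so
    # another origin; the Authorization header must not reach it.
    import http.server
    import threading

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_HEAD(self):
            self.server.seen.append(dict(self.headers))
            self.send_response(302 if self.path == "/a" else 200)
            if self.path == "/a":
                self.send_header("Location", self.server.target)
            self.end_headers()

        def log_message(self, *args):
            pass

    def serve():
        server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
        server.seen, server.target = [], None
        threading.Thread(target=server.serve_forever, daemon=True).start()
        return server

    first, second = serve(), serve()
    first.target = "http://127.0.0.1:%d/b" % second.server_port
    req = urllib.request.Request("http://127.0.0.1:%d/a" % first.server_port,
                                 method="HEAD")
    req.add_header("Authorization", "Basic dXNlcjpwYXNz")  # user:pass
    urllib.request.build_opener(OriginAwareRedirectHandler).open(req).close()
    print("first hop had Authorization:", "Authorization" in first.seen[0])
    print("cross-origin hop had Authorization:", "Authorization" in second.seen[0])
    for server in (first, second):
        server.shutdown()
```

`redirect_headers()` is kept separate from the handler so the policy can be unit-tested without sockets; the `__main__` block only shows the handler wired into `build_opener()` the way checkstatus() wires its own.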